| Twitter News & Updates We post and discuss the latest twitter news and happenings here. |
Status: Administrator
Join Date: Dec 2008
Location: Illinois
Posts: 15
twitter: twitplace
Rep Power: 10
The twitter phishing plot thickens (and gets a little more serious).
An article on centernetworks dated 1 January 2009 is making the rounds on twitter. It talks about how TWPLY.com went from obscurity to having thousands of people's twitter account login details in a matter of days. It is keenly interesting because of its possible relationship to the great twitter phishing scandal of 2009. But more importantly, it raises a few very scary concerns.

A lot of these new twitter-based startups, because of the way the twitter API works and through no fault of their own, require your actual twitter password to work. The problem is, for some of us, our twitter account security has become just as important as any other login we use on the net. Especially those of us who have accounts with a lot (thousands) of followers.

The issue this raises is that these very internet startups can take your account login information with every good intention but be sold later, or in this case within a month, to someone who has no scruples about using your information for evil. They could care less about the agreement between you and the site/service that you clicked the checkbox to agree to when you signed up for the service. They just want to use your account to spam your followers and potentially get paid!

Where does this leave us? Well, I for one hate it because it gives those of us trying to build products and services for twitter users, or even market legitimately on twitter, a very bad name. But the fact is, most any of these new fly-by-night twitter services can be created, bought and sold amongst amateur webmasters within weeks. Right along with your twitter username and password.

There certainly needs to be a way for usernames and passwords to be stored encrypted and passed encrypted to twitter. That won't stop spammers completely, since an unscrupulous spammer can just take the database with encrypted passwords and connect to twitter via the api just like the website itself does, only to spam. But it will at least keep these twitter services from having to store people's passwords, which they may be using for online banking and other things, unencrypted. Which in my opinion is the bigger danger here. What happens if the server hosting the twitter service or app gets compromised?

I'm going to ask @twitterapi about this today.